COMPLEMENTS AND SIGNED DIGIT REPRESENTATIONS:
ANALYSIS OF A MULTI-EXPONENTIATION-ALGORITHM OF WU, LOU, LAI AND CHANG

CLEMENS HEUBERGER AND HELMUT PRODINGER 

Abstract. Wu, Lou, Lai and Chang proposed a multi-exponentiation algorithm using binary complements and the non-adjacent form. The purpose of this paper is to show that neither the analysis of the algorithm given by its original proposers nor that by other authors is correct. In fact it turns out that the complement operation does not have significant influence on the performance of the algorithm and can therefore be omitted.

1. Introduction

An efficient way to compute a power $a^n$ is to use the binary expansion $\sum_{j=0}^{\ell-1} d_j 2^j$ of $n$ and compute $a^n$ by a square and multiply algorithm [10],

$$a^{\sum_{j=0}^{\ell-1} d_j 2^j} = \bigl(\bigl((a^{d_{\ell-1}})^2 \cdot a^{d_{\ell-2}}\bigr)^2 \cdots a^{d_1}\bigr)^2 a^{d_0},$$

where the number of squarings needed is $\ell - 1$, whereas the number of multiplications by $a^{d_j}$ equals the number of nonzero $d_j$ minus 1 (under the assumption that $d_{\ell-1} = 1$), because multiplications with $a^0$ can be omitted. Among the various possible optimisations is the use of signed digit representations, i.e., allowing digits $-1$ also, which results in multiplications by $a^{-1}$. This is of particular interest if $a^{-1}$ is known or can be computed easily, e.g., in the point group of an elliptic curve.

Some cryptosystems also need multi-exponentiation $\prod_{j=1}^{D} a_j^{n_j}$ (usually for $D \in \{2, 3\}$). A trivial approach would be to compute $a_j^{n_j}$ separately for $j \in \{1, \ldots, D\}$ and multiply the results; however, Straus¹ [15] demonstrated that an interleaved approach leads to better results.

¹ This approach is frequently called Shamir's trick; we refer to [2] for a discussion of this attribution. Similar suggestions have been made in [TT] and [1].

For simplicity of exposition, we restrict ourselves to $D = 2$ at this point, although the method works for arbitrary $D$. For computing $a^m b^n$, we take binary expansions $m = \sum_{j=0}^{\ell-1} c_j 2^j$ and $n = \sum_{j=0}^{\ell-1} d_j 2^j$ and compute

If $a^c b^d$ are precomputed for all admissible pairs of digits $(c, d)$, then the number of squarings equals $\ell - 1$ and the number of multiplications by $a^{c_j} b^{d_j}$ equals the joint Hamming weight, i.e., the number of pairs $(c_j, d_j) \neq (0, 0)$, minus one (under the assumption that $(c_{\ell-1}, d_{\ell-1}) \neq (0, 0)$) plus the time needed for the precomputation, which is clearly constant and does not depend on the length of the expansion. In dimension $D = 2$, pairs of integers can be identified with complex numbers as proposed in [TT], but this is merely another way to formulate the procedure. Allowing negative digits again, redundancy can be used to decrease the joint Hamming weight.

As in the case of dimension 1, there is a syntactic condition which yields expansions of minimal joint Hamming weight, cf. [13], 0> [12]. In dimension $D = 2$, it is shown that these optimal expansions have expected Hamming weight $(1/2)\ell + O(1)$, so that the total expected number of multiplications equals² $(3/2)\ell + O(1)$, cf. also [1] and [6]. We refer to [7] for a more detailed introduction with more references.

The authors of [17] present an alternative approach in dimension $D$ involving the complement of the binary expansion and claim that the expected number of multiplications of their algorithm equals $1.304\ell + O(1)$. This was followed by [16] whose authors claim to correct the result [17] and that the same algorithm needs $1.471\ell + O(1)$ multiplications on average. The purpose of this note is to show that both results are incorrect. We explain why the result cannot be better than the above optimal joint expansions (Theorem 1), show that the algorithm essentially corresponds to taking the NAF for both arguments (Theorem 2) and give the correct expected number $(14/9)\ell + O(1) = 1.555\ldots\ell + O(1)$ of multiplications (Theorem 3).

In Section 2 we collect notations and well-known results on digit expansions. Section 3 presents the algorithm proposed by [17], which is analysed in Section 4. Finally, in Section 5 we discuss where the errors in the probabilistic arguments of [17] and [16] lie.

2. Digit Expansions 

2.1. Digit Expansions of Integers. A signed digit expansion of an integer $n$ is a word $d_{\ell-1} \ldots d_0$ over the alphabet $\{-1, 0, 1\}$ such that $n = \mathrm{value}(d_{\ell-1} \ldots d_0) = \sum_{j=0}^{\ell-1} d_j 2^j$. The (Hamming) weight $\mathrm{weight}(d_{\ell-1} \ldots d_0)$ of $d_{\ell-1} \ldots d_0$ is the number of non-zero digits $d_j$.

When all digits are in $\{0, 1\}$, we speak of the standard binary expansion of $n$ (which must then be non-negative). The standard binary expansion of $n$ is denoted by $\mathrm{Binary}(n)$.

While every integer $n$ admits infinitely many signed digit expansions, one special expansion has attracted particular attention.

Definition 2.1. A signed digit expansion $d_{\ell-1} \ldots d_0$ is called a Non-Adjacent-Form (NAF), if $d_j d_{j+1} = 0$ for all $j$, i.e., there are no adjacent non-zero digits.



² The authors of [17] and [16] erroneously write $1.503\ell$ without further comment.

Reitwiesner [13] showed that every integer $n$ admits a unique NAF, denoted by $\mathrm{NAF}(n)$, and that $\mathrm{NAF}(n)$ minimises the Hamming weight over all signed digit expansions of $n$. The NAF is known under various names, e.g., the canonical signed digit expansion.

The ones' complement of a standard binary expansion $d_{\ell-1} \ldots d_0$ is $\bar{d}_{\ell-1} \ldots \bar{d}_0$, where

$$\bar{d} = 1 - d.$$

It is immediate from the definition that

$$\mathrm{value}(\bar{d}_{\ell-1} \ldots \bar{d}_0) = 2^{\ell} - \mathrm{value}(d_{\ell-1} \ldots d_0) - 1.$$

This can be seen as another signed digit expansion,

$$\mathrm{value}(\bar{d}_{\ell-1} \ldots \bar{d}_0) = \mathrm{value}\bigl(1(-d_{\ell-1}) \ldots (-d_1)(-d_0 - 1)\bigr),$$

with the exception that the least significant digit is now in $\{-1, -2\}$.

2.2. Digit Expansion of Vectors. A signed digit joint expansion of an integer vector $\binom{m}{n}$ is a word $d^{(\ell-1)} \ldots d^{(0)}$ over the alphabet $\{-1, 0, 1\}^2$ such that

$$\binom{m}{n} = \mathrm{value}(d^{(\ell-1)} \ldots d^{(0)}) = \sum_{j=0}^{\ell-1} d^{(j)} 2^j.$$

The joint (Hamming) weight of $d^{(\ell-1)} \ldots d^{(0)}$ is the number of $j$ with $d^{(j)} \neq \binom{0}{0}$. The components of $d^{(j)}$ are written as

$$d^{(j)} = \binom{d_1^{(j)}}{d_2^{(j)}}.$$

So, the digits are now column vectors. One simple way to obtain such a joint expansion is to independently choose two signed-binary expansions $d_1^{(\ell-1)} \ldots d_1^{(0)}$ and $d_2^{(\ell-1)} \ldots d_2^{(0)}$ of $m$ and $n$, respectively, and to write them on top of each other. In order to achieve small joint weight, one might take the NAFs of $m$ and $n$ and write them on top of each other; the expected joint weight is $(5/9)\ell + O(1)$, cf. [6].³

Solinas [14] discussed the "Joint Sparse Form", a joint expansion which minimises the joint weight over all joint expansions of the same pair of integers. Here, we use a simplified version introduced in [5].

Definition 2.2. A joint expansion $d^{(\ell-1)} \ldots d^{(0)}$ is called a Simple Joint Sparse Form (SJSF), if the following two conditions hold for all $j \ge 0$:

(1) If $|d_1^{(j)}| \neq |d_2^{(j)}|$, then $|d_1^{(j+1)}| = |d_2^{(j+1)}|$.

(2) If $|d_1^{(j)}| = |d_2^{(j)}| = 1$, then $d^{(j+1)} = 0$.



³ The heuristic argument to see this would be that the expected number of zeros in a NAF is $(2/3)\ell + O(1)$, thus the expected number of digit vectors $0$ when writing two NAFs on top of each other should be $(4/9)\ell + O(1)$, which leaves $(5/9)\ell + O(1)$ for the Hamming weight. As we shall see when discussing the errors in [17] and [16], such arguments do not take possible dependence of the digits into account and might lead to errors. Therefore, we refer to the precise analysis in [6].

In [5], we proved that every pair of integers $\binom{m}{n}$ admits exactly one SJSF, denoted by $\mathrm{SJSF}\binom{m}{n}$, and that $\mathrm{SJSF}\binom{m}{n}$ minimises the joint weight over all joint expansions of $\binom{m}{n}$ with digits in $\{-1, 0, 1\}$. In [6], it was shown that the expected joint weight of a SJSF of length $\ell$ is $(1/2)\ell + O(1)$.



3. Multi-Exponentiation Algorithm 

We now present the algorithm of [17] in Algorithm 1. We assume that $a_1^{d_1} a_2^{d_2}$ have been precomputed for $(d_1, d_2) \in \{-1, 0, 1\}^2$ and are used in Lines 13 and 15. It might happen that $d_k^{(0)} = -2$; in that case, two multiplications are needed in Line 15. Note that the length of the NAF may exceed the length of the standard binary expansion by at most 1.

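Algorithm 1 Wu, Lou, Lai and Chang's [17] Algorithm for Multi-Exponentiation

Input: $a_1, a_2 \in G$ (some Abelian group), $n_1, n_2 \in \mathbb{N}$
Output: $b = a_1^{n_1} a_2^{n_2}$

 1: $\ell = \lfloor \log_2(\max(n_1, n_2)) \rfloor + 1$
 2: for $k = 1, 2$ do
 3:     $b_k^{(\ell-1)} \ldots b_k^{(0)} \leftarrow \mathrm{Binary}(n_k)$
 4:     if $\mathrm{weight}(b_k^{(\ell-1)} \ldots b_k^{(0)}) > \ell/2$ then
 5:         $(d_k^{(\ell)} \ldots d_k^{(0)}) \leftarrow \mathrm{NAF}(\mathrm{value}((b_k^{(\ell-1)} - 1) \ldots (b_k^{(0)} - 1)))$
 6:         $d_k^{(\ell)} \leftarrow d_k^{(\ell)} + 1$
 7:         $d_k^{(0)} \leftarrow d_k^{(0)} - 1$
 8:     else
 9:         $(d_k^{(\ell)} \ldots d_k^{(0)}) \leftarrow \mathrm{NAF}(n_k)$
10:     end if
11:     {We have $n_k = \mathrm{value}(d_k^{(\ell)} \ldots d_k^{(0)})$}
12: end for
13: $b \leftarrow a_1^{d_1^{(\ell)}} a_2^{d_2^{(\ell)}}$
14: for $j = \ell - 1$ downto $0$ do
15:     $b \leftarrow b^2 a_1^{d_1^{(j)}} a_2^{d_2^{(j)}}$
16:     {We have $b = a_1^{\sum_{k=j}^{\ell} d_1^{(k)} 2^{k-j}} a_2^{\sum_{k=j}^{\ell} d_2^{(k)} 2^{k-j}}$}
17: end for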



The idea of the algorithm is the following: If the weight of the binary expansion of the exponent $n_j$ is large ($> \ell/2$), then $n_j$ is represented by its complement and the NAF of the complement is used. The heuristic is that reducing the weight of the expansion before converting it to its NAF should result in a lower weight of the NAF.

Note that after execution of Line 12 of Algorithm 1 we have a joint expansion $d^{(\ell)} \ldots d^{(0)}$ of $n = \binom{n_1}{n_2}$ where $d^{(j)} \in \{-1, 0, 1\}^2$ for $j > 0$ and $d^{(0)} \in \{-2, -1, 0, 1\}^2$. The number of group multiplications is $\ell$ (for the squarings) plus

$$\mathrm{weight}_1(d^{(\ell)} \ldots d^{(0)}) := \sum_{j=0}^{\ell} \max\{|d_k^{(j)}| : k \in \{1, 2\}\}$$

minus 1 (no multiplication is required for the most significant digit). Note that for expansions with digits $\{-1, 0, 1\}$, the notions of $\mathrm{weight}_1$ and $\mathrm{weight}$ agree.

4. Analysis of the Algorithm 

We will now extend the optimality proof for the SJSF from [5] to the case of digits from $\{-2, -1, 0, 1, 2\}$. It turns out that we can allow arbitrary digits of absolute value at most 2 without changing the result. In fact, we do not even need any particular properties of the SJSF.

Theorem 1. Let $d^{(\ell-1)} \ldots d^{(0)}$ be a word over the alphabet $\{-2, -1, 0, 1, 2\}^2$ and $n = \mathrm{value}(d^{(\ell-1)} \ldots d^{(0)})$. Then we have

$$\mathrm{weight}_1(d^{(\ell-1)} \ldots d^{(0)}) \ge \mathrm{weight}_1(\mathrm{SJSF}(n)) = \mathrm{weight}(\mathrm{SJSF}(n)),$$

i.e., $\mathrm{SJSF}(n)$ minimises $\mathrm{weight}_1$ over all expansions of $n$ with digits in $\{-2, -1, 0, 1, 2\}$.

Before proving the theorem, we note that this already shows that the analysis in [17] and [16] cannot be correct:

Corollary 4.1. The expected number of group multiplications needed by Algorithm 1 is at least $(3/2)\ell + O(1)$.

Proof of Corollary 4.1. For every $n$, the number of multiplications used by Algorithm 1 is not less than the number of multiplications needed when using the SJSF, which is known to be $(3/2)\ell + O(1)$ from [6]. □

The essential step in the proof of Theorem 1 is the following lemma.

Lemma 4.2. Let $d^{(\ell-1)} \ldots d^{(0)}$ be a word over the alphabet $\{-2, -1, 0, 1, 2\}^2$ where $k > 0$ digit vectors contain a digit of absolute value 2. Then there is a word $c^{(\ell'-1)} \ldots c^{(0)}$ over the alphabet $\{-2, -1, 0, 1, 2\}^2$ with less than $k$ digit vectors containing a digit of absolute value 2, $\mathrm{value}(d^{(\ell-1)} \ldots d^{(0)}) = \mathrm{value}(c^{(\ell'-1)} \ldots c^{(0)})$ and $\mathrm{weight}_1(d^{(\ell-1)} \ldots d^{(0)}) \ge \mathrm{weight}_1(c^{(\ell'-1)} \ldots c^{(0)})$.

Proof. We prove the lemma by induction on $\mathrm{weight}_1(d^{(\ell-1)} \ldots d^{(0)})$. Choose $j$ maximal such that $d^{(j)}$ contains a digit of absolute value 2. We write $d^{(j)} = 2q + r$ with $q \in \{-1, 0, 1\}^2$ and $r \in \{0, 1\}^2$. We have $\mathrm{weight}_1(d^{(\ell-1)} \ldots d^{(j+2)}(d^{(j+1)} + q)) \le \mathrm{weight}_1(d^{(\ell-1)} \ldots d^{(0)}) - 1$ and $d^{(\ell-1)} \ldots d^{(j+2)}(d^{(j+1)} + q)$ is an expansion with digits from $\{-2, -1, 0, 1, 2\}$, where digits of absolute value 2 can only occur in $(d^{(j+1)} + q)$. Thus, by induction hypothesis, there is an expansion $c^{(\ell'-1)} \ldots c^{(j+1)}$ with digits from $\{-1, 0, 1\}$, $\mathrm{value}(c^{(\ell'-1)} \ldots c^{(j+1)}) = \mathrm{value}(d^{(\ell-1)} \ldots d^{(j+2)}(d^{(j+1)} + q))$ and

$$\mathrm{weight}_1(c^{(\ell'-1)} \ldots c^{(j+1)}) \le \mathrm{weight}_1(d^{(\ell-1)} \ldots d^{(j+2)}(d^{(j+1)} + q)).$$

Setting $c^{(j)} c^{(j-1)} \ldots c^{(0)} = r d^{(j-1)} \ldots d^{(0)}$, we see that

$$\begin{aligned}
\mathrm{weight}_1(c^{(\ell'-1)} \ldots c^{(0)}) &\le \mathrm{weight}_1(d^{(\ell-1)} \ldots d^{(j+2)}(d^{(j+1)} + q)) + \mathrm{weight}_1(r d^{(j-1)} \ldots d^{(0)}) \\
&\le \mathrm{weight}_1(d^{(\ell-1)} \ldots d^{(j+2)} d^{(j+1)}) + 1 + 1 + \mathrm{weight}_1(d^{(j-1)} \ldots d^{(0)}) \\
&= \mathrm{weight}_1(d^{(\ell-1)} \ldots d^{(0)})
\end{aligned}$$

and that $c^{(\ell'-1)} \ldots c^{(0)}$ satisfies the requirements of the lemma. □

We are now able to prove Theorem 1.

Proof of Theorem 1. Repeated application of Lemma 4.2 shows that there is an expansion $c^{(\ell'-1)} \ldots c^{(0)}$ with digits from $\{-1, 0, 1\}$ with $\mathrm{value}(c^{(\ell'-1)} \ldots c^{(0)}) = n$ and

$$\mathrm{weight}_1(d^{(\ell-1)} \ldots d^{(0)}) \ge \mathrm{weight}_1(c^{(\ell'-1)} \ldots c^{(0)}).$$

Taking into account that $\mathrm{weight}_1(c^{(\ell'-1)} \ldots c^{(0)}) = \mathrm{weight}(c^{(\ell'-1)} \ldots c^{(0)})$ and the optimality of the SJSF [5, Theorem 2] completes the proof of the theorem. □

The next question is how Algorithm 1 compares with the simple strategy of directly

/NAF(ni)\ 

Theorem 2. Let $b_{\ell-1} \ldots b_0$ be a standard binary expansion and $\bar{b}_{\ell-1} \ldots \bar{b}_0$ its complement. Then

$$\bigl|\mathrm{weight}(\mathrm{NAF}(\mathrm{value}(b_{\ell-1} \ldots b_0))) - \mathrm{weight}(\mathrm{NAF}(\mathrm{value}(\bar{b}_{\ell-1} \ldots \bar{b}_0)))\bigr| \le 2.$$

This means that the strategy of taking the NAF of the complement of a number at best induces a saving of 2 in the weight, which is subsequently lost when adding the two corrective terms. In other words, this strategy never yields a lower weight than a direct use of the NAF.

Proof of Theorem 2. The NAF can be computed from the standard binary expansion of a positive integer $n$ by a transducer automaton from right to left (cf. [HJ Figure 2]), reproduced here as Figure 1. For typographical reasons, negative digits $-d$ are written as $\bar{d}$.

In order to compare the NAFs of $n$ and its complement, we compute these NAFs simultaneously by one transducer. This transducer is shown in Figure 2. Here, $\perp$ denotes the end of the input and $\varepsilon$ denotes the empty word.

The transducer reads the standard binary expansion of $n$ from right to left and writes vectors of digits containing the NAF of $n$ and its complement. The labels of the states correspond to carries, the "binary point" indicates the look-ahead, i.e., the number of digits read minus the number of digits written. The transducer can be decomposed in four strongly connected components: $C_1$ = {[J} (the initial state only), $C_2$ = {-!,., 1 )}, $C_3$ = {-2> -i) -n} and $C_4$ = {terminal state}.

When leaving $C_1$, the weights of the two output rows are trivially equal. After leaving $C_2$, the difference of the weights is at most 1, as there is only one cycle in $C_2$ and its weights are balanced. Within $C_3$, the weight of the output in both rows is always the same. When leaving $C_3$, another difference of at most 1 might occur. Summing up, the weight difference is at most 2. □

Figure 1. Transducer for converting the standard binary expansion to the NAF.

Figure 2. Transducer converting a standard binary expansion $d_{\ell-1} \ldots d_0$ into $\binom{\mathrm{NAF}(\mathrm{value}(d_{\ell-1} \ldots d_0))}{\mathrm{NAF}(\mathrm{value}(\bar{d}_{\ell-1} \ldots \bar{d}_0))}$, i.e., the NAF and the NAF of the complement.

We can now quantify the performance of Algorithm 1.

Theorem 3. For a random pair $(n_1, n_2)$ with $0 \le n_1, n_2 < 2^{\ell}$ (all of these pairs are considered to be equally likely), the expected number of multiplications when executing Algorithm 1 is

$$\frac{14}{9}\ell + O(1) = 1.555\ldots\ell + O(1).$$

Proof. Before considering pairs, it is essential to understand the effect of Algorithm 1 on a single integer, which is encoded by the transducer automaton in Figure 2. We number the states of the transducer as follows:



[Table: state numbers 1 to 6 and the corresponding states of the transducer.]

The transition probability matrix of the transducer is

[$6 \times 6$ matrix $P$],

i.e., the entry in row $i$, column $j$, is the probability of a transition from state $i$ to state $j$. These are $0$ or $1/2$ depending on whether there is a transition from $i$ to $j$ at all; the digits of the standard binary expansion are independently uniformly distributed.

The probability of reaching state $j$ after reading $k$ digits is the $j$th component of

$$(1, 0, 0, 0, 0, 0)P^k = \bigl(0,\ 2^{-k},\ 2^{-k},\ \tfrac{1}{3} + O(2^{-k}),\ \tfrac{1}{3} + O(2^{-k}),\ \tfrac{1}{3} + O(2^{-k})\bigr).$$

When leaving States 4 or 5, the transducer writes a digit 0; when leaving State 6, a non-zero digit is written. The situation in States 2 and 3 is more complicated as it depends on the weight of the standard binary expansion; however, since we are in these states with probability $2^{-k}$, we do not have to deal with this problem. Summing up, the probability that the transducer writes a digit 0 as the $(k-1)$st output digit is $p_{k-2} := 2/3 + O(2^{-k})$.

Let now $d^{(\ell)} \ldots d^{(0)}$ be the joint expansion of $(n_1, n_2)$ produced by Algorithm 1 where $n_1$ and $n_2$ are independent and uniformly distributed random variables on $\{0, \ldots, 2^{\ell} - 1\}$. Denote by $\mathrm{zeros}(d^{(\ell)} \ldots d^{(0)})$ the number of digit vectors $0$ in $d^{(\ell)} \ldots d^{(0)}$, which implies that $\mathrm{zeros}(d^{(\ell)} \ldots d^{(0)}) = \ell + 1 - \mathrm{weight}(d^{(\ell)} \ldots d^{(0)})$. Then the expectation of $\mathrm{zeros}(d^{(\ell)} \ldots d^{(0)})$ can be computed as

$$\mathbb{E}\bigl(\mathrm{zeros}(d^{(\ell)} \ldots d^{(0)})\bigr) = \sum_{k=0}^{\ell} \mathbb{P}(d^{(k)} = 0) = \sum_{k=0}^{\ell} \mathbb{P}(d_1^{(k)} = 0)\,\mathbb{P}(d_2^{(k)} = 0) = \frac{4}{9}\ell + O(1),$$

where we used the fact that the random variables $d_1^{(k)}$ and $d_2^{(k)}$ are independent (which is a consequence of the fact that $n_1$ and $n_2$ have been assumed to be independent). From this, we see that

$$\mathbb{E}\bigl(\mathrm{weight}(d^{(\ell)} \ldots d^{(0)})\bigr) = \ell + 1 - \mathbb{E}\bigl(\mathrm{zeros}(d^{(\ell)} \ldots d^{(0)})\bigr) = \frac{5}{9}\ell + O(1),$$

and the result follows by adding the unavoidable $\ell$ squarings. □

Remark 4.3. This proof can easily be generalised to higher dimensions. In dimension $D$, we obtain

$$\mathbb{E}\bigl(\mathrm{weight}(d^{(\ell)} \ldots d^{(0)})\bigr) = \Bigl(1 - \Bigl(\frac{2}{3}\Bigr)^{D}\Bigr)\ell + O(1).$$

On the other hand, the approach in [6] can be generalised to explicitly give the constants now hidden in the error term at the cost of more complicated transducers and a delicate analysis of the influence of the weight of the standard binary expansion, cf. [9].
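
The interleaved multi-exponentiation of the introduction and the recoding of Algorithm 1 can be checked numerically. The following Python code is an added example, not code from the paper or from [17]: it implements Lines 3 to 11 and 13 to 17 of Algorithm 1, tests the bound of Theorem 2 exhaustively, and compares the mean joint weight of Algorithm 1 with that of plain NAFs. The function names and the choice of the group $(\mathbb{Z}/p\mathbb{Z})^*$ are assumptions made for the illustration.

```python
from itertools import product

def naf(n):
    """Digits of NAF(n), least significant first; n may be negative."""
    digits = []
    while n:
        d = 2 - n % 4 if n & 1 else 0   # +1 if n = 1 (mod 4), -1 if n = 3 (mod 4)
        digits.append(d)
        n = (n - d) // 2
    return digits

def wu_recode(n, ell):
    """Lines 3-11 of Algorithm 1 for one exponent 0 <= n < 2^ell: ell+1 digits."""
    heavy = bin(n).count("1") > ell / 2
    # value((b-1)...(b-1)) = n - (2^ell - 1), i.e. minus the ones' complement
    d = naf(n - (2**ell - 1)) if heavy else naf(n)
    d += [0] * (ell + 1 - len(d))
    if heavy:
        d[ell] += 1   # Line 6: add 2^ell
        d[0] -= 1     # Line 7: subtract 1, so d[0] may become -2
    return d

def value(d):
    return sum(x * 2**j for j, x in enumerate(d))

def weight1(d1, d2):
    """weight_1 of the joint expansion: sum over j of max(|d1[j]|, |d2[j]|)."""
    return sum(max(abs(x), abs(y)) for x, y in zip(d1, d2))

def multi_exp(a1, a2, d1, d2, p):
    """Lines 13-17 in (Z/pZ)^*, starting from b = 1; returns (b, table multiplications)."""
    table = {(x, y): pow(a1, x, p) * pow(a2, y, p) % p
             for x, y in product((-1, 0, 1), repeat=2)}   # precomputation
    b, mults = 1, 0
    for x, y in reversed(list(zip(d1, d2))):
        b = b * b % p
        while (x, y) != (0, 0):          # a digit -2 needs two multiplications
            sx, sy = (x > 0) - (x < 0), (y > 0) - (y < 0)
            b, mults = b * table[sx, sy] % p, mults + 1
            x, y = x - sx, y - sy
    return b, mults

def max_naf_gap(ell):
    """Theorem 2: max |weight(NAF(n)) - weight(NAF(complement of n))| over ell-bit n."""
    w = lambda n: sum(map(abs, naf(n)))
    return max(abs(w(n) - w(2**ell - 1 - n)) for n in range(2**ell))

def average_weights(ell):
    """Mean weight_1 over all pairs 0 <= n1, n2 < 2^ell: (Algorithm 1, plain NAFs)."""
    pad = lambda d: d + [0] * (ell + 1 - len(d))
    wu = [wu_recode(n, ell) for n in range(2**ell)]
    plain = [pad(naf(n)) for n in range(2**ell)]
    mean = lambda ds: sum(weight1(a, b) for a in ds for b in ds) / 4**ell
    return mean(wu), mean(plain)

if __name__ == "__main__":
    ell = 8
    print("max NAF weight gap:", max_naf_gap(ell))
    wu, plain = average_weights(ell)
    print(f"Algorithm 1: {wu:.3f}  plain NAFs: {plain:.3f}  (5/9)*ell = {5 * ell / 9:.3f}")
```

The multiplication count returned by `multi_exp` equals $\mathrm{weight}_1$ of the joint expansion; the paper's count is one less because the first table entry is assigned rather than multiplied.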



5. Errors in [17] and [16]

The purpose of this section is to point out where the errors in [17] and [16] occurred. The authors of [17] write on page 1072 in Section 4:

"Besides, the average proportion of non-zeros in binary representation is 1/2 and in canonical-signed-digit binary representation is 1/3. So the average proportion of zeros in the proposed algorithm is (1 − 1/2 × 1/3) = 5/6."

This assertion is erroneous, because the multiplication of 1/2 and 1/3 cannot be justified in any way: The weight of a NAF is roughly 1/3 times the length of the expansion, not 1/3 times the weight of the standard binary expansion. Moreover, the weights of the NAF and the standard binary expansion are only asymptotically independent, cf. [9].

The authors of [16] write on page 1851:

"Before the complement recoding, each bit of $E = (e_{k-1} \ldots e_1 e_0)_2$ assumes a value of 0 or 1 with equal probability, i.e. $P(e_i = 0) = P(e_i = 1) = 1/2$ for $0 \le i \le k - 1$, and there is no dependency between any two bits. After the complement recoding, it should be a value of 0 or 1 with unequal probability, i.e. $P(e_i = 0) = 3/4$ and $P(e_i = 1) = 1/4$ for $0 \le i \le k - 1$. Certainly, there is still no dependency between any two bits."

By construction, there is some dependence between the bits, as at most half of them can be equal to 1. Next, the claimed probabilities 3/4 and 1/4 are incorrect; this has also been discussed in detail by Yen, Lien and Moon [18] while correcting erroneous claims in [3].

6. Conclusions 

We analysed the multi-exponentiation algorithm from [17]. It turns out that the performance estimates in [17] and [16] are based on incorrect probabilistic assumptions and are wrong. The method due to Solinas [14] or its equivalent formulations have better performance. Even worse, taking the complement does not have any positive effect, because the non-adjacent form essentially ignores the influence of the complement. Thus the proposed algorithm performs as if one would simply take the NAF for both arguments, which corresponds to the method proposed by [1] (without improvements) and is known to be not optimal.